** Changed in: linux-ti-omap4 (Ubuntu Oneiric)
       Status: Confirmed => Fix Committed

** Description changed:

  Heap-based buffer overflow in the is_gpt_valid function in
  fs/partitions/efi.c in the Linux kernel 2.6.38 and earlier allows
  physically proximate attackers to cause a denial of service (OOPS) or
- possibly have unspecified other impact via a crafted size of the EFI GUID
- partition-table header on removable media.
+ possibly have unspecified other impact via a crafted size of the EFI
+ GUID partition-table header on removable media.
  
  Fixed-by: 3eb8e74ec72736b9b9d728bad30484ec89c91dde
- 
- 
- commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde
- Author: Timo Warns <[email protected]>
- Date:   Thu May 26 16:25:57 2011 -0700
- 
-     fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
-     
-     The kernel automatically evaluates partition tables of storage devices.
-     The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
-     a bug that causes a kernel oops on certain corrupted GUID partition
-     tables.
-     
-     This bug has security impacts, because it allows, for example, to
-     prepare a storage device that crashes a kernel subsystem upon connecting
-     the device (e.g., a "USB Stick of (Partial) Death").
-     
-         crc = efi_crc32((const unsigned char *) (*gpt), 
le32_to_cpu((*gpt)->head
-     
-     computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
-     There is no validation of (*gpt)->header_size before the efi_crc32 call.
-     
-     A corrupted partition table may have large values for (*gpt)->header_size.
-      In this case, the CRC32 computation access memory beyond the memory
-     allocated for gpt, which may cause a kernel heap overflow.
-     
-     Validate value of GUID partition table header size.
-     
-     [[email protected]: fix layout and indenting]
-     Signed-off-by: Timo Warns <[email protected]>
-     Cc: Matt Domsch <[email protected]>
-     Cc: Eugene Teo <[email protected]>
-     Cc: Dave Jones <[email protected]>
-     Signed-off-by: Andrew Morton <[email protected]>
-     Signed-off-by: Linus Torvalds <[email protected]>
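
Review bot: the block removed below the `Fixed-by:` line was the only part of the description that stated the root cause, namely that `(*gpt)->header_size` is not validated before the `efi_crc32` call, so after this change a reader has only the commit hash to go on. Consider keeping the one-line summary "Validate value of GUID partition table header size." beside the Fixed-by line. The rewrap of the first paragraph changes line breaks only and needs no follow-up.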

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/795418

Title:
  CVE-2011-1577